Monthly Archives: April 2012

One aspect of the Check Point SecurePlatform OS that I struggle to get my head around is backups. There are a few different options, and during the course of researching an upgrade I came across the best explanation I’ve seen yet. I’ve decided to grab a copy of the relevant text and post it in my blog for future reference here.

Oversimplified Executive Summary

upgrade_export contains just Check Point configuration

A backup is an upgrade_export plus SPLAT OS configuration

A snapshot is a backup plus binary files, both Check Point and SPLAT OS

As a general rule of thumb, if you're restoring on the same hardware, a snapshot would be the easiest to use since it contains the most info, and an upgrade_export would be the worst, since you'd have to manually restore the most stuff.

upgrade_export

It doesn't back up any OS (i.e. SPLAT) settings, it only backs up Check Point settings

It will let you export on one OS and then import on a different OS (i.e. go from Windows to SPLAT)

You can upgrade_import on different hardware (i.e. go from IBM to HP)

You can restore an export from an older version to a newer version of CheckPoint. A SPLAT backup/restore requires that you have the exact same versions. Note that when upgrading from an older to newer version, you must use the newer version’s upgrade_export utility to create the export file.

It restores the product list as well. The SPLAT restore command won’t restore the Check Point settings if you don’t have the exact same products (and product versions) installed.

backup

A SPLAT backup will back up both the SPLAT OS settings as well as the CheckPoint settings

Basically it’s an upgrade_export with OS settings added in

Restoring a backup file requires the exact same software installation. I.e. you can't restore a backup from R55 onto R60 (the HFA level must match as well). The installed product list must match as well. Note that you can still restore the OS settings even if your installed Check Point product list doesn't match.

The SPLAT OS settings are hardware specific. If you restore the system settings you must restore on the same hardware. However, if you only restore the Check Point settings you can restore on different hardware. Restoring just the Check Point settings is essentially the same thing as doing an “upgrade_import” of an exported file.

snapshot

A snapshot is even better than a backup since it contains binary files. I.e. you can revert from R60 to R55 with a snapshot. The downside to this is that a snapshot file is much larger than an upgrade_export or backup file.

A snapshot can also roll you forward for minor software changes. For example if I revert from R60 HFA05 to HFA01 I can later revert back to R60 HFA05 from R60 HFA01

A snapshot cannot revert to a newer major release of Check Point. I.e. you can’t revert from R55 to R60.

If you’re reinstalling SPLAT on the same hardware you don’t have to install any HFA’s or change any configuration. Simply reverting to your saved snapshot file will restore all configurations and HFAs. The only stipulation is that the major software version must match. I.e. a R60 snapshot file will only work on a R60 install (regardless of HFA level).

You can only revert on the same hardware, since the snapshot file contains hardware specific SPLAT settings.

An exception to the rules

If you're feeling lucky, I've noticed that you can actually restore a backup file or snapshot file on different hardware as long as you:

Delete “/etc/sysconfig/hwconf” (this is automatically re-created during the reboot)

In the case of a snapshot file also delete "/etc/modules.conf"

**Backups don't contain this file

**modules.conf controls which drivers are loaded

**This is automatically re-created during the reboot

Remove the “hwaddr” lines from /etc/sysconfig/netconf.C

Reboot

You must remove the hwaddr lines since the firewall will use the MAC addresses stored in the snapshot/backup file, not your network card’s physical MAC addresses. You can verify which MAC addresses you’re using with these commands:

ifconfig | grep HWaddr – This shows which MACs you're currently using

grep hwaddr /etc/sysconfig/hwconf – This should contain your NICs' physical MAC addresses. If in doubt, delete this file, reboot and this file will be automatically created on startup.

grep hwaddr /etc/sysconfig/netconf.C – This shows which MACs your server is configured to use. If there are no "hwaddr" lines, then your NICs' physical MACs will be used. If there are no "hwaddr" lines you can create them by running "cpnetconf store".

To remove the hwaddr lines in “/etc/sysconfig/netconf.C” run these commands:
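The forum post's own command sequence for editing netconf.C is not reproduced on this page. As an added example, not part of the quoted post and not a Check Point utility, here is a shell script that performs the check the post describes: it pairs the MACs that ifconfig reports with the hwaddr lines pinned in netconf.C, reports any interface pinned to a MAC the current hardware does not have, and produces a copy of netconf.C with the hwaddr lines stripped. The ifconfig output and the netconf.C layout used below are constructed samples and assumptions of this script, not captured from a real system.

```shell
#!/bin/sh
# Added example: check whether the MAC addresses pinned in netconf.C still
# match the NICs the box is actually running on, and produce a copy of
# netconf.C with the hwaddr lines removed. This is not the forum post's own
# command sequence and not a Check Point utility.
#
# Assumptions (not taken from Check Point documentation):
#   - `ifconfig` prints the old net-tools "HWaddr xx:xx:..." lines, as on SPLAT.
#   - netconf.C nests a ":hwaddr (mac)" line under an interface block that
#     opens with a line such as ":eth0 (". Only the hwaddr lines matter here.

# Print "iface mac" pairs from `ifconfig` output text ($1), MACs lower-cased.
macs_from_ifconfig() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([a-z0-9.]*\).*HWaddr \([0-9A-Fa-f:]*\).*/\1 \2/p' \
        | tr 'A-F' 'a-f'
}

# Print "iface mac" pairs pinned in netconf.C text ($1).
macs_from_netconf() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*:eth[0-9]+(\.[0-9]+)? \(/ { iface = $1; sub(/^:/, "", iface) }
        /:hwaddr/ { mac = $2; gsub(/[()]/, "", mac); print iface, tolower(mac) }
    '
}

# Compare pinned MACs ($2, netconf.C text) with live ones ($1, ifconfig text).
# Prints one line per interface that is pinned to a MAC this box does not have.
hwaddr_mismatches() {
    live=$(macs_from_ifconfig "$1")
    macs_from_netconf "$2" | while read -r iface mac; do
        [ -n "$iface" ] || continue
        actual=$(printf '%s\n' "$live" | awk -v i="$iface" '$1 == i { print $2 }')
        if [ -z "$actual" ]; then
            printf '%s pinned=%s live=<no such interface>\n' "$iface" "$mac"
        elif [ "$actual" != "$mac" ]; then
            printf '%s pinned=%s live=%s\n' "$iface" "$mac" "$actual"
        fi
    done
}

# Print netconf.C text ($1) with every hwaddr line removed, so that the
# physical MACs are used after the reboot (the edit the forum post describes).
strip_hwaddr() {
    printf '%s\n' "$1" | grep -v ':hwaddr'
}

# --- constructed sample data (not captured from a real system) ---
IFCONFIG_SAMPLE=$(cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0C:29:AB:CD:EF
          inet addr:192.168.10.5  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:50:56:11:22:33
          inet addr:10.200.1.1  Bcast:10.200.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
)

# eth0 is pinned to its real MAC; eth1 is still pinned to the old hardware's MAC.
NETCONF_SAMPLE=$(cat <<'EOF'
(
    :ifcfg (
        :eth0 (
            :ipaddr (192.168.10.5)
            :netmask (255.255.255.0)
            :hwaddr (00:0c:29:ab:cd:ef)
        )
        :eth1 (
            :ipaddr (10.200.1.1)
            :netmask (255.255.255.0)
            :hwaddr (00:0c:29:ab:cd:f0)
        )
    )
)
EOF
)

# On a real SecurePlatform box the same check is:
#   hwaddr_mismatches "$(ifconfig)" "$(cat /etc/sysconfig/netconf.C)"
echo "Interfaces pinned to a MAC this hardware does not have:"
hwaddr_mismatches "$IFCONFIG_SAMPLE" "$NETCONF_SAMPLE"
```

Run the check before rebooting a restored snapshot or backup on new hardware: a non-empty result is exactly the situation the post warns about, where the firewall would come up using MACs that belong to the old box. Write the output of strip_hwaddr to a temporary file and inspect it before replacing /etc/sysconfig/netconf.C, and keep a copy of the original so the change can be reversed.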

This blog post details how to back up and restore Check Point Security Management Servers and Security Gateways running on the SecurePlatform OS, on Open Server hardware.

There are two types of backup available – Snapshot and Backup.

**note** it is recommended to only carry out backup procedures during a maintenance window due to the performance impact it will have on the device and the fact that the snapshot process will stop and re-start the Check Point services. Also, be aware that backing up a management server will fail if any SmartConsole connections are active.

Also, there is a third backup option for Management servers, called Upgrade Export which is used when you are upgrading to a newer version of the OS. For a fantastic overview of all the options, take a look at this post on the excellent CP Shared forum.

Snapshot

A snapshot takes an image of the whole system, including device drivers, HFA’s and Hotfixes. Typical scenarios where you would want to use the snapshot method would be:

You are about to make a major change to the system eg. software upgrade. Take a snapshot prior to the upgrade and if it all goes horribly wrong you can always reset the box back to the exact state it was in before you broke it (useful to prevent tears/tantrums in the early hours of the morning during your change window)

Snapshot after an upgrade, and use it as a means to rebuild the box if it dies. Restore the snapshot and then add the most recent backup (think of it as an incremental backup) to get you up and running again.

The snapshot will generate a large file (typically at least 1GB for an SCS) and can only be restored onto the same machine ie. same hardware and OS version. Remember also to copy the snapshot file off the box to another location on your network, otherwise the snapshot is completely useless if the hard drive fails (the same goes for a backup).

Snapshot via the CLI:

run the command: snapshot

select the location you wish to save the file to, supply any credentials for ftp or scp servers, and supply a name for the snapshot file

if you select local, the snapshot file will be created in /var/CPsnapshot/snapshots, so copy the file from there into a safe location on your network

Rather than follow the menu prompts you can specify other parameters with the command, such as the name you want to give the file and your remote server details. To see a list of options type snapshot -h.

For example, to take a snapshot and copy it to your TFTP server with the file name “scs_snapshot_20052012”:

[SCS]# snapshot -t 192.168.10.10 scs_snapshot_20052012

To restore from a snapshot:

You can restore a snapshot from a file located in /var/CPsnapshot/snapshots, or from a network location. Simply type the command revert in expert mode, select the source (local, tftp, ftp, scp server) and file name.

As with the snapshot command, you can specify extra options. For a list of options available with this command, type revert -h.

Backup

A backup is very similar to a snapshot, in that it contains all the Check Point configuration and networking settings (routing info etc), but it does not include device drivers, HFA's and Hotfixes. The idea is that you would restore the backup onto the same machine ie. same hardware, OS, Check Point version and patch level.

Backups can be run without stopping the Check Point services, and the backup files are typically much smaller than with a snapshot (as they contain only the configuration information).

Backup via the CLI:

run the command: backup

by default the backup file will be created in /var/CPbackup/backups, so copy the file from here into a safe location on your network

as with snapshots, you can supply parameters with the command such as the FTP server details and also schedule a backup. type backup -h for more info.

To restore from a backup:

In order to restore from a backup, you must first have installed SPLAT and all the required Check Point components, hotfixes etc. You can restore a backup from a file located in /var/CPbackup/backups, or from a network location. Simply type the command restore, select the source (local, tftp, ftp, scp server) and file name.

Once you've selected the backup file to restore from, you can then choose which information to restore, the "system" or "cp_products". So for example if you wanted to restore your backup onto new hardware, you could first install the OS, and then just selectively restore the Check Point configuration.

As with the backup command, you can specify extra options. For a list of options available with this command, type restore -h.
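Both the snapshot and backup sections above say to copy the file off the box. As an added example that is not part of this post and not a Check Point command, the script below picks the newest file in the backup directory, records its SHA-256 in a sidecar file next to it, and lets you confirm on the destination that the copy is intact before you rely on it for a rebuild. The backup directory is the one named above; the sidecar file name and the helper names are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not a Check Point utility): find the newest backup in the
# SecurePlatform backup directory, record its SHA-256 next to it, and check
# that an off-box copy still matches that digest before trusting it.
# The directory default is the path given on this page; the ".sha256"
# sidecar name is an assumption of this script.

BACKUP_DIR="${BACKUP_DIR:-/var/CPbackup/backups}"

# Print the SHA-256 hex digest of file $1 (sha256sum, falling back to shasum).
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the path of the most recently modified backup in directory $1,
# ignoring sidecar files; status 1 if the directory holds none.
newest_backup() {
    name=$(ls -t "$1" 2>/dev/null | grep -v '\.sha256$' | head -n 1)
    [ -n "$name" ] || return 1
    printf '%s/%s\n' "$1" "$name"
}

# Write "<digest>  <basename>" to <file>.sha256 and print the digest.
record_digest() {
    d=$(digest_of "$1")
    printf '%s  %s\n' "$d" "$(basename "$1")" > "$1.sha256"
    printf '%s\n' "$d"
}

# Succeed only if file $2 hashes to the digest recorded in sidecar $1.
# A truncated or altered copy fails here instead of failing at restore time.
verify_copy() {
    expected=$(cut -d' ' -f1 "$1")
    [ -n "$expected" ] && [ "$expected" = "$(digest_of "$2")" ]
}

# Typical use on the box after `backup` has finished. The transfer itself
# (scp/ftp to your backup host) is whatever your environment already uses.
if [ -d "$BACKUP_DIR" ] && latest=$(newest_backup "$BACKUP_DIR"); then
    echo "newest backup: $latest"
    echo "sha256: $(record_digest "$latest")"
    # After copying $latest and $latest.sha256 off the box, on the destination:
    #   verify_copy "$(basename "$latest").sha256" "$(basename "$latest")"
fi
```

A backup holds the complete Check Point and OS configuration, so the off-box location needs the same access control as the firewall itself, and the sidecar digest only helps if it is kept somewhere an attacker who can alter the backup cannot also alter it; a separate read-only share or a note in the change ticket is enough. Because the digest is recorded before the transfer, a copy truncated by a dropped FTP session shows up as a mismatch on the destination rather than as a failed restore in the middle of a change window.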

Backup via the WebUI:

1. log onto the device via https://<IP-Address> (the default port is 443 unless it has been changed to avoid a clash with SSL VPN)

2. select Device –> Backup –> Back Up Now

3. select the location you wish to save the file to, supply any credentials for ftp or scp servers, and optionally select to include log files in the backup. Then click Apply

4. click Yes to proceed. (on a management server note the warning to close GUI clients)

5. to view the status of the backup, click View Backup Log

**note** it is not possible to restore from a backup via the WebUI, it has to be done via the CLI.

Networking:

eth_set eth0 100f (sets the speed and duplex of eth0 to 100Mb Full Duplex – survives a reboot)

ethtool eth0 (displays the settings for interface eth0 such as speed/duplex etc)

netstat -rn (to show the routing table of your device)

ifconfig (to show the list of available interfaces)

tcpdump -i eth0 -s 1500 net 10.200.1.0/24 -w /var/tmp/xxw.pcap

* If you want to filter based on the network address, use 'net' as above; to filter on a single host, change it to 'host 10.200.1.1'.
** The -s 1500 sets the snapshot length to a full 1500-byte packet. Older tcpdump versions default to a much shorter snapshot length (68 bytes), so without it the captured packets show incomplete details; -s 0 captures whole packets whatever the MTU.
*** -w writes the capture to a file instead of printing it to the terminal. By giving the file a .pcap extension you can double-click it to open it in Wireshark (formerly Ethereal).

netstat -rn | more (displays the routing table, without resolving names – if you wish to display it per page, use | more at the end of your command line)

I recently needed to upgrade the Software Image on a Cisco ASA 5510 security appliance from version 8.2(2) to 8.2(5). This process also required upgrading the ASDM software to version 6.4(5) so that the newly upgraded appliance could still be managed via the GUI.

The process for both pieces of the upgrade is very straight forward, so here goes:

Upgrading the ASA image from 8.2(2) to 8.2(5)

Step 1. Copy the new ASA software image from a TFTP server to the ASA, using the following commands: